rareintel

Overview

Our objective here is to set up Elasticsearch, Logstash, and Kibana to consume pfSense 2.3 syslog feeds for the different modules, so that we can build pretty graphs and operational dashboards.

Installation

The first thing you want to do is install Java. ElasticSearch and LogStash both run on JRuby, which is a Java variant of Ruby. Kibana runs on NodeJS.

Make sure your system is up to date: sudo apt update && sudo apt upgrade -y

Configure Kibana

Edit the following lines in your /opt/kibana/config/kibana.yml file to look like:

# Kibana is served by a back end server. This controls which port to use.
server.port: 5601
# The host to bind the server to.
server.host: "X.X.X.X"
# The Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://localhost:9200"

Create Index in Kibana

Browse to http://X.X.X.X:5601

Settings Page -> Indices -> Add New

Kibana pfSense New Index

Now you can search, create visualizations, and dashboards of visualizations!!

If anyone has any cool looking pfSense dashboards for 2.3 let me know, I’d like to post some examples.
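As an added example (not code from the original post), here is a small parser for the pfSense 2.3 filterlog records that this syslog feed carries, plus the per-source rollup behind a "top blocked sources" dashboard panel. The field layout is assumed from the documented pfSense 2.2+ filterlog format, and the sample lines are constructed with documentation addresses.

```python
import csv
import re
from collections import Counter

# Field layout of the pfSense 2.2+/2.3 filterlog CSV record, taken from the
# documented filterlog format (assumed to match the feed this pipeline ingests).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id"]
L3 = ["length", "src", "dst"]
TCP = ["src_port", "dst_port", "data_len", "tcp_flags", "seq", "ack", "window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_len"]
# Optional <PRI>, BSD timestamp, optional hostname, then the filterlog payload.
SYSLOG_RE = re.compile(r"^(?:<\d+>)?\w{3}\s+\d+ [\d:]+ (?:\S+ )?filterlog: (.*)$")

def parse_filterlog(line):
    """Return the filterlog record as a dict, or None for any other syslog line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = next(csv.reader([m.group(1)]))
    if len(fields) <= len(COMMON) or fields[8] not in ("4", "6"):
        return None
    names = COMMON + (IPV4 if fields[8] == "4" else IPV6) + L3
    rec = dict(zip(names, fields))
    rest = fields[len(names):]  # protocol-specific tail; only TCP/UDP are mapped here
    if rec.get("proto") == "tcp":
        rec.update(zip(TCP, rest))
    elif rec.get("proto") == "udp":
        rec.update(zip(UDP, rest))
    return rec

def blocked_by_source(lines, dst_port="22"):
    """Blocked inbound hits per source for one destination port (a dashboard rollup)."""
    counts = Counter()
    for rec in map(parse_filterlog, lines):
        if rec and rec["action"] == "block" and rec["direction"] == "in" and rec.get("dst_port") == dst_port:
            counts[rec["src"]] += 1
    return counts

# Constructed sample feed using documentation addresses, not captured traffic.
SAMPLE = """\
<134>May 10 12:00:01 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,48,12345,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,51234,22,0,S,3210254776,,29200,,mss;sackOK;TS;nop;wscale
<134>May 10 12:00:02 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,48,12346,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,51235,22,0,S,3210254777,,29200,,mss;sackOK;TS;nop;wscale
<134>May 10 12:00:03 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,52,4,0,none,17,udp,78,203.0.113.9,198.51.100.2,5060,5060,58
<134>May 10 12:00:04 filterlog: 5,16777216,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::10,2001:db8::1,40000,3306,0,S,1,,65535,,mss
<134>May 10 12:00:05 filterlog: 70,,,1234567890,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.2,192.0.2.1,40001,443,0,S,1,,65535,,mss;nop;wscale
<134>May 10 12:00:06 pfSense sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
""".splitlines()
```

The same field names make good Logstash field targets, so a Kibana visualization can then group on `src`, `dst_port` and `action` directly.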

Looky here, we want ONE app, not 2, figure it out! Listen, I don’t like flipping back and forth. 1) It’s slow, 2) it wastes phone resources, 3) I don’t like installing a bunch of apps, 4) it’s not necessary, 5) I don’t wanna..

Facebook is removing the messaging capability from its mobile web application, according to a notice being served to users: “Your conversations are moving to Messenger,” it reads.…

Hahaha, I 100% agree with this. In fact, after looking at most of the attacks, ‘hacks’, etc. in the past 4 years, there really hasn’t been anything new or innovative. The most innovative things have been compromises in actual software, but those compromises are all due to the same sloppy use of validation of acceptable inputs and outputs.

As to the sophistication of attacks, I think the most sophisticated attackers now are those that are interested in monetary gain, such as account checkers, headless browsers, etc.

Now, the most sophisticated attacks or compromises that I’ve seen involved outsiders penetrating the infrastructure of the client, sitting dormant and learning their very proprietary systems and coordinating a huge global attack to steal millions of dollars. It was very interesting and it was impressive how they coordinated the live attack with thousands of people executing all within a VERY short amount of time.

You know I really loved the movie Foolproof, it was a pretty fun idea to plan out these attacks in excruciating detail as a thought exercise. Maybe I’ll start doing that here.

These attacks are distributed across many different source and destination nodes. It appears that the majority of attacks are SSH brute force. Something interesting that I found during these attacks was that they happened to be somewhat intelligent. They were iterating not only through the common default username/password lists, but also through interpolations of the domain, whois data, etc. So, that was an interesting find this week.

The rest were fairly generic, except I did see a pretty substantial number of attempts to connect to Netis Routers presumably to exploit a vulnerability that’s been sitting on those devices for a while.

There was also a bit of SIP and DNS traffic. I don't run most of the probed services on these devices, so these are mostly just scanners. The source of almost ALL of the SSH brute force was China. It would be interesting to see how many nodes they compromise due to poor configuration practices.

Port 23: SSH attacks are primarily brute force login attacks. If anyone is interested I can actually post the usernames they are testing.

Port 3306: MySQL, better lock down your servers. You shouldn’t allow remote access to the server that’s hosting an external site. Generally, these are only open to localhost.

Port 80/443: These look like probes and sessionless requests. So, UDP requests to these ports.

Since 2009, the FTC has seen a significant increase in the number of illegal sales calls – particularly robocalls. The reason is technology. Internet powered phone systems make it cheap and easy for scammers to make illegal calls from anywhere in the world, and to display fake caller ID information, which helps them hide from law enforcement.

I'm not sure if anyone else has seen a dramatic increase in the number of unsolicited phone calls from telemarketers and the like. It seems like over the past 3-4 months the number of calls I've been getting has gone from near zero to 1-2/day during the week.

So there is a pattern:

Car Warranty Calls: so obviously the car company and other providers in that chain have disclosed my information to these people.

Website Companies: I registered a couple of domain names for a project I’m working on, so it looks like they are mining the whois information and contacting me with that. Note to self, anonymous registrations in the future.

Random Crap: Then there are the random calls that just don’t make any sense. I think these are likely due to purchasing property and being listed on those purchasing documents.

Well, there ya go. If I get around to it I’ll post the numbers.

So, how do we fix this little problem?

You can file complaints for each call that hits your phone and apparently there are civil penalties.
https://complaints.donotcall.gov/complaint/complaintcheck.aspx

What do you need?

The number called.

The time of the call.

Was it a robocall?

What was the number that called?

What were they calling about?

Submit the complaint and keep a record.

You want to also keep a record of the date, time, and numbers when you requested that they stop contacting you.